Compliance call recording
In the US and every other country, compliance call recording is the legally required process of capturing (recording) phone calls in a manner that adheres to specific local, national, and global regulations. Call recording originated among the world’s most heavily regulated industries, such as financial services and healthcare, to protect both the consumer and the business. These days, call recording is no longer treated as a necessary evil (due to the vast amounts of data created) but rather as an opportunity for every business to gain business intelligence from every conversation.
Global and national compliance laws
While very few regulations are globally applicable, national laws such as GDPR and CPPA can have an effect beyond their target country because of country-to-country commerce.
These regulations often require us to establish consent with the called party, which is only provable with a recording of the call. Reasons for consent include customer permission to carry out financial transactions on their behalf, look up personal data, record the current call, finalize purchases, and so on.
State and local compliance laws
In the United States, call compliance laws regulating call recording vary from state to state. California recording laws may not match Florida recording laws, making it vital to understand call recording laws by state. While call recording regulations differ locally and globally, the financial penalties for violating these laws, especially when data breaches occur, are steep and financially damaging to any enterprise.
Notification of call recording
The Federal Communications Commission (FCC) requires notification of call recording and defines the acceptable means of notification as:
- Prior verbal or written notification of all parties to the telephone conversation.
- Verbal notification before the recording is made. This is the most commonly used type.
- An audible beep tone repeated at regular intervals during the call.
Two-party consent states
Currently, 12 states require the verbal consent of all parties on a phone call to deem the recording lawful. This is referred to as two-party consent, and it’s currently enacted in the following states (exceptions noted):
- California
- Connecticut (required if and when a third, non-participating party records the conversation. When recordings are made in person, one-party consent will suffice)
- Florida
- Hawaii (two-party consent is required when the recording device resides in a separate or private location)
- Illinois (two-party consent, but not for electronic communications)
- Maryland
- Massachusetts (bans secretive recordings; uniquely, Massachusetts has a public location exception)
- Montana (requires notification of recording, but not spoken consent)
- New Hampshire
- Oregon (electronic communications require only one-party consent. Two-party is necessary for in-person recorded conversations)
- Pennsylvania
- Washington (but Washington law validates permission when any party announces recording is taking place in a reasonable manner and if the recording captures the announcement)
Consider call recording for call (contact) centers
To any call center manager, regulatory compliance is a top priority. For this reason, managers expend time and funding for their call center on compliance training. Employing a scripted greeting is proven to keep your call recordings compliant. However, there are several ways to make obtaining informed consent easier.
Recording inbound & outbound calls
Inbound call consent
Most inbound customer calls are picked up automatically by an Interactive Voice Response (IVR) system that plays a message. Depending on what state or country your business resides in, having your IVR tell the inbound caller that “this call is being recorded for quality and training purposes” will satisfy consent.
However, not every state has the same support and customer service call recording laws. While an IVR notification saves time and takes human error out of the way, it may not strike the tone you’re looking for on a sales call. Customers’ moods can quickly downshift merely because they are greeted by an IVR system and not a person.
Outbound call consent
When your company makes an outbound call, obtaining consent becomes more difficult. The calling agent must immediately inform the called party (or parties) that the call is being recorded. If parties join the conversation while the call is in progress, consent must be obtained again.
Many live agents handle this disclosure right in their introduction. For example: “Hi, my name is Sarah from Company A on a recorded line.”
What if I don’t start my calls with a live agent?
Many companies use auto-dialers that will play a message informing the customer of the call recording before the agent picks up. This method may not be optimal because auto and predictive dialers tend to annoy customers before the call starts. In the big picture, how you obtain consent can be personal and seen as considerate by the customer, or it can be impersonal and imposing.
Making your agents responsible for obtaining consent does introduce the possibility of human error. However, with training and the number of CRM tools available in the marketplace, these errors can be minimized.
If you do not want to open your call with a recording notification, we recommend using a record-on-demand function to record only the required portions of the call, for example after a different notification script is used later in the call.
Call center PCI compliance
As stated in one of our previous articles, whenever a customer gives your company a bank or credit card number, your company is subject to PCI DSS compliance. Since the customer gave the card number over the phone, it gets recorded and possibly transcribed by a speech-to-text application. Immediately, that data exists in 2 different recording media and is vulnerable.
PCI DSS laws mandate the protection of that data through masking and redaction.
Masking alters the audio recording to encrypt sensitive speech segments, namely the numbers spoken on the call, while leaving the rest of the recording listenable. This encryption renders even a stolen recording useless to a malicious party.
To comply, your audio recordings and text transcriptions should go from having vulnerable numbers (credit card, account, phone and social security) in them to looking like this image. It’s wise to equip your call center with recording software that automatically performs masking and redaction.
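The transcript side of this redaction step can be made concrete for card numbers: find runs of spoken or typed digits, test them for a Luhn-valid 13 to 19 digit number, and remove the whole run so adjacent expiry or security-code digits go with it. This is an added example, not code from the original article or from any recording product, and it does not cover account, phone or social security numbers. The digit-word vocabulary, the `[REDACTED]` placeholder and the sample line are assumptions.

```python
import re
from itertools import groupby

# Digit words as a speech-to-text engine might emit them (assumed vocabulary).
WORD_DIGITS = dict(zip(
    "zero oh one two three four five six seven eight nine".split(), "00123456789"))

# Constructed transcript line; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = ("Caller: it's four one one one 1111 1111 1111, thanks. "
          "Order 1234 5678 9012 3456 please.")

def luhn_ok(digits):
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def token_digits(token):
    """Digits a token contributes, or '' if it is ordinary speech."""
    core = token.strip(".,;:!?").lower()
    if core in WORD_DIGITS:
        return WORD_DIGITS[core]
    return core.replace("-", "") if re.fullmatch(r"\d[\d-]*", core) else ""

def contains_card(parts):
    """True if a token-aligned span of 13-19 digits passes Luhn."""
    for i in range(len(parts)):
        for j in range(i + 1, len(parts) + 1):
            span = "".join(parts[i:j])
            if 13 <= len(span) <= 19 and luhn_ok(span):
                return True
    return False

def redact_transcript(text, placeholder="[REDACTED]"):
    """Replace every run of number tokens that holds a card number."""
    out = []
    tokens = text.split()
    for is_num, group in groupby(tokens, key=lambda t: bool(token_digits(t))):
        run = list(group)
        if is_num and contains_card([token_digits(t) for t in run]):
            # Fail closed: drop the whole run, keep only trailing punctuation.
            tail = re.search(r"[.,;:!?]*$", run[-1]).group()
            out.append(placeholder + tail)
        else:
            out.extend(run)
    return " ".join(out)
```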
Call compliance for financial institutions
Hospitals, insurance agencies, banks, investment firms, brokerages, and enterprises of every sort are subject to financial compliance laws like:
- Dodd-Frank: governs consumer lending, including credit and debit cards
- MAD II & MiFID II (Market Abuse Directive, Markets in Financial Instruments Directive): concerned with providing increased investor protection in EU financial trading venues
- FDCPA (Fair Debt Collection Practices Act): prohibits debt collection through deceptive or abusive means
- TILA (Truth In Lending Act): protects consumers through mandated disclosure of key lending terms
Overall, these regulations mandate accountability for financial data passing between the company and the customer. They also dictate security requirements for storing call recordings and text media.
The fines for violations of these regulations can deeply damage any enterprise. In all of these laws, call recording is not only required; it is a company’s best line of defense in the event of a dispute.
Compliance is the first step to establishing cause in any dispute, and if the dispute goes to litigation, the validity of a compliance recording can be questioned. For that reason, redundant Cloud storage with military-grade encryption is highly recommended. Your recordings, transcripts, and agent screen recordings (if you have them) all help you establish authenticity.
Call recording and HIPAA compliance
When a medical practice, hospital, or health insurance company speaks to patients and customers over the phone, HIPAA (the Health Insurance Portability and Accountability Act) regulates recorded communications. If you’ve set up your operation for informed consent, PCI redaction, and encrypted storage, you might think you’re all set for HIPAA. However, there’s one last place you might need to shore up your compliance recording methods:
In healthcare markets, there are pieces of information providers can give neither over the phone nor by email. The solution is faxing, and because faxing is faster than other ways of sending data, its use has actually increased.
Online faxing produces an image file every time an online fax is sent. Millions of images with critical patient information are stored annually, and those images should be treated with the same concern your transcripts and call recordings are. The right call recording platform can be used to stay compliant anywhere you are in the world and no matter what industry you’re in.
To learn more about how CallCabinet can help manage your call compliance needs, reach out to us today.